Cyber security: The threat from within

Posted on : 30-04-2015 | By : Jack.Rawden | In : Cyber Security

Tags: , , , , , , , , , , ,


Cyber security, as ever, has been a widely discussed topic in Broadgate over the past few weeks.  Numerous cyber-attacks have made the news, from the TV5Monde hack to the recent article in the financial times stating that cyber criminals are some of the fastest innovators currently in technology.

However, with the focus of attention being outside, the question is, is there an enemy within? Organisations have spent big money and devoted a lot of resource to protect itself against external threats and have built strong defences with firewalls, anti-virus software, mail filters and numerous other filters used extensively to protect itself.  But have they left themselves vulnerable from the inside?

What if an employee’s password has been hacked and an intruder is stealing information?
What if an employee was accessing sensitive information that they shouldn’t?
Are you able to track malware that has already made it past the external defences?

Once a person is past the external defences the level of access they might get and the potential for misuse is often worrying.  Organisations can find it difficult to identify such inside threats, or by the time they have recognised them it may be too late and the leak has already happened. This is made ever more difficult to monitor by the increasing complexity of an organisations network. The amount of data stored and number and type of devices connecting to it makes it harder than ever to monitor usage.

Evidence of this can be found in the 2014 Information security breaches survey conducted by PWC.  Almost 60% of organisations have encountered staff related security breaches with 20% caused by deliberate misuse of computer systems.

55% of large businesses were attacked by an unauthorised outsider in the last year
73% of large organisations suffered from infection by viruses or malicious software in the past year
58% of large organisations suffered staff-related security breaches
31% of the worst security breaches in the year were caused by inadvertent human error
20% of the worst security breaches were caused by deliberate misuse of computer systems

More significant and what can’t be tracked is the damage that may occur to an organisation if a leak does occur.  Reputational damage for private organisations could be the most damaging, especially if the breach is widely publicised in the press.  With this could come a monetary loss though loss of clients or potential fines from regulators – the information commissioner’s office has the power to fine organisations up to £500,000 for the misuse of personal data on UK citizens.

With this threat looming over organisations, what can be done to protect itself?  Solutions present themselves as policy, procedure and innovative technologies that can monitor and identify such misuse. Here are a few pointers;

Effective IT usage policy – Simpler, shorter implementations

  • Establish a person responsible for security
  • Classify data into confidential, internal and public data
  • Limiting and tracking access to important documents/files should be a deterrent to anyone trying to steal data from inside the network.
  • Limiting the use of external storage devices such as USB sticks and limiting access to file sharing sites including webmail
  • Identify the data “Crown jewels” – the data that if it were to leak would have the biggest financial/reputational damage.  Ensuring these types of files are encrypted with limited access
  • Customised role based training of staff

Monitoring – Medium/long term implementation

  • Use specialist security software to track files and malware entering/leaving the network.  Tools such as Fire eye or Dark trace can use advanced tracking functionality to spot unusual behaviour on a network. Tools like this have the ability to track unusual network behaviour as well as unusual user behaviour.
  • Consider tools such as Dtex deployed on an individual’s PC to monitor behaviour.  Capturing changes in user patterns (e.g. an employee getting ready to leave the organisations), High risk pattern behaviour or finding what information was lost on a laptop left on a train.
  • Other monitoring solutions such as Digital Shadows to track data that has left the internal boundary to calculate the amount of exposure you have outside the organisation.  Even tracking data on social media and the “Dark web”.
  • Controlled environment – Four Eyes check of files leaving the network to ensure sensitive files are not being sent externally

These types of attack are difficult to stop completely as they revolve around the people using the systems.

However, with better controls, methods to identify unusual activity and misuse the objective is that potential losses are captured and remediated as quickly as possible.



The Reporting Line of the CISO is Key to Success

Posted on : 30-04-2015 | By : john.vincent | In : Cyber Security

Tags: , , , , , , ,


This article examines the organisational relationships between the role of the Chief Information Security Officer (CISO) and the corporate environment around it, with a focus on why reporting lines are essential and how they should be structured.

Why is the reporting line of the CISO still a hot topic amongst Security communities?

The actual role of the CISO varies greatly from one organisation to another – even if, on paper, job descriptions often look similar.

Of course, the best reporting line for the CISO is the one that positions the role in the best way within the organisation – in relation to the real challenges that the CISO is expected to resolve.

But in practice, corporate governance across large organisations also varies greatly, depending of industry sectors and geographical dispersion. Many large organisations operate (efficiently or not) matrix organisations – and, in those cases, it’s unlikely that the CISO will have a single reporting line, leading to a large number of variations where formal and informal authority have to be combined. This is well analysed by Peter Berlich in a recent post.

Annual surveys published by the Big 4 consultancy firms over the past 10 years have been highlighting such diversity, and show that the reporting lines now span almost the entire spectrum of board members (including the CEO, COO, CAO, CFO, CRO and Legal counsel). Results indicate that a reporting line to the CIO seems to be the most common in the field, however, this still only accounts for approximately one third of the responses to the surveys on average (with all caveats due to the fact that the methodologies vary from one firm to another and respondents could be different from one year to the next).

Reporting lines into IT departments (at levels below the CIO) remain common in many industries, for example accounting for up to 26% of respondents in the Life Sciences sector according to the EY 2014 Global Information Security Survey. Reporting lines into audit and compliance departments are still commonplace today.

In addition, many of these job titles – in particular, the COO, CAO, CRO and CIO – could hide a variety of actual roles and individual profiles. This is particularly true in larger firms, where multiple reporting and “dotted lines” can also lead to situations where accountability is seen as a vague and relative concept.

In short, the current situation seems to reflect the confusion that has been surrounding Information Security Strategy and Governance for the past 10 to 15 years. Beyond the natural diversity of the CISO roles in terms of content, it seems that many large organisations have treated the CISO reporting line in a casual and ambiguous manner, instead of positioning it in the best way to protect themselves against the genuine threats they’re facing.

How important is the reporting line of the CISO?

The reporting line of the CISO is the most essential channel of authority, as it presents to all stakeholders – in an un-equivocal manner – the real level of importance placed on Information Security by the organisation.

Because Information Security is a matter that cuts across too many corporate silos (HR, Legal, Business Units and IT etc.), matrix reporting and “dotted lines” should be avoided. These multiple reporting lines are rarely efficient, rarely understood fully and generally add to the confusion. This can hinder the leadership of the CISO and their ability to deliver.

It is key to go back to basic organisational principles. Ideally, the CISO should have a single reporting line – positioned at a level in the organisation that will maximise the impact of the role. The profile of the CISO should be adequate and suited to a Board-level reporting line and the CISO should have the gravitas, credibility and management experience to influence their peers (as discussed in the Corix Partners February 2015 feature on the C-Suite blog). If the Board feels that’s not the case, the Board should start by addressing this issue.

If the CISO is expected to get things done across the organisation, the reporting line should be to the CIO or the COO – as these executives are most likely to be the closest to Information Security matters within an organisation.

But ultimately, the actual reporting line decision should be made at Board level – and based on the results of a high level assessment of the maturity of security controls across the organisation.

From that point, the Board should be able to focus on inspiring the right spirit for the role – and there are, broadly speaking, three different types of profiles the CISO can fall under:

The CISO as a Figurehead

The Board may feel that the business is well-protected against Information threats and that the CISO needs to be a “figurehead” – a well-networked senior executive, credible with business leaders and capable of representing the firm at conferences and global events. A reporting line to the CEO or another board member (possibly the COO) may be suitable, particularly for industry sectors or smaller firms where controls are already a mindset.

The CISO as a Firefighter

If the Board is primarily driven by short-termist views and concerned only with the resolution of recurring audit or compliance matters, its priorities will almost always drive a tactical agenda. The CISO will end up in a complex programme manager role, constantly having to influence stakeholders and act as a “firefighter” to keep projects on track – ensuring priorities remain set as they should be across IT and the business.

A reporting line to the CIO or the COO is essential in such context, given the complexity of the CISO role and the cross-silo nature of Information Security challenges. Delegating down must be avoided at all costs, simply because it sends a highly dangerous message across the organisation. Irrespective of the personal profile of the CISO, downward delegation implies that Information Security is not that important and can only fuel internal politics and confuse prioritisation amongst stakeholders.

But this alone is not sufficient enough to ensure success, and the actual success of the CISO will rely entirely on having a proper Information Security Governance Framework in place to ensure that all stakeholders have a clear understanding of their respective roles and responsibilities in the programme delivery, and the way C-level management will be involved.

Most tactical approaches in the Information Security space fail simply because they compromise too much on the last two points.

The CISO as a Change Agent

If the Board is concerned about the maturity level of controls and wants to drive lasting improvements across the organisation, the CISO needs to be a “change agent”. It’s in this situation that the positioning of the reporting line is most critical.

The reporting line must be given, without exception, to a control-minded senior executive that the Board trusts to supervise change in the Information Security space. Again, this should ideally be the CIO or the COO – and delegating down must still be avoided at all costs, as this is one of the most common failure factors.

Where controls maturity issues are serious enough – particularly in large organisations with a high Internet footprint facing serious cyber security challenges that may bring the whole business down – the CEO must consider whether the situation has reached a critical point.  Here, a direct involvement in the resolution of these issues is required and the CEO must consider taking the CISO role as a direct report as a result.

In other situations, where controls maturity is low, it’s the need to drive improvement that should be a key factor in the reporting line decision – not arbitrary separation of duties considerations. Separation of duties considerations are often negative organisational devices aimed at dealing with conflicts of priorities generated by non-control-minded executives. In large organisations, these considerations can create more problems than they solve, by engineering arbitrary political barriers with the potential to damage the CISO’s leadership ability and hinder change delivery. Internal politics often make it extremely hard to influence change “across the fence” (i.e. in parts of the organisations where you don’t belong).

It is key to look at the problem from a positive angle and only give the CISO reporting line to a control-minded senior executive who can be trusted by the Board on their prioritisation, because the key issues are in their area of accountability.

How to determine the best reporting line for the CISO?

The prime focus should be on delivering results, based on a thorough examination of the prime operational focus of the organisation (People/Process/Technology) and its dependency on information attributes (Confidentiality/Integrity/Availability). The CISO reporting line should be positioned in the area where the most change is required and where most of the efforts will be targeted.



 Fig 1 – Recommended Reporting Line for the CISO position

If most of the problems are in IT, the reporting line of the CISO should be to the CIO. If most of the problems are outside IT, the reporting line of the CISO should be to the COO.

Multiple lines of defence and separation of duties considerations must come second to, or be wrapped around, the need to drive results – in particular where Information Security maturity levels are low. Those can be left for the CIO or the COO to drive, as mentioned in this February 2015 feature on the C-Suite blog.

If these individuals are not control-minded or the Board feels they cannot be trusted with a Security change programme (or if these individuals simply think they’re too busy to take on the role), the Board should ask itself whether it is the attitude that the CIO or COO shows towards Security and controls which is the root cause of the low maturity situation the Board is aiming to resolve.


This article was courtesy of one of close partners, Corix (details below).

JC Gaillard (

Managing Director

Corix Partners